W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2012

Re: #385: HTTP2 Upgrade / Negotiation

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 25 Oct 2012 09:29:42 +0200
To: Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
Cc: Mark Nottingham <mnot@mnot.net>, Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20121025072942.GD15587@1wt.eu>
Hi Gabriel,

On Thu, Oct 25, 2012 at 07:02:34AM +0000, Gabriel Montenegro wrote:
> > On the other hand, the Upgrade-based negotiation is pessimistic; it assume
> > that something will go wrong until we prove that both ends speak the same
> > language. It'll be fast but have some limitations at the start (as discussed).
> 
> I've been thinking about this, and think we may be able to make it more optimistic after the first exchange.
> 
> This is the scenario:
> 1. client has no prior knowledge whether this server supports http2 on this port in the clear.
> 2. client performs Upgrade (presumably, he'd be using NPN if over SSL)
> 3. server sends 101 back.
> 4. they now speak http2, and the client learns that this server speaks http2 at this port.
> 5. time passes, and this http2 connection goes away.
> 6. a subsequent message from client to server (without a pre-existing http2 connection) could bypass the Upgrade and send http2 frames directly.
> 
> This would require the server to be able to detect if any given message is
> either http 1.X or http 2. Given the binary framing of the latter, it seems
> possible to figure out how to make this unambiguous at the server.
> 
> Comments?

This cannot work in environment where transparent protocol analysers and
intercepting proxies are installed. The first success only means one thing,
which is that the scenario used along the whole path works, it does not
preclude that changing the opening handshake would too woke. Two examples :

- in March I informed the hybi WG that I got a report from a user that
  Trend Micro's OfficeScan installed on his machine was blocking WS
  upgrades because it was analysing exchanges between the browser and
  the outer world and did not like 101 responses. When this program
  is eventually fixed, it will still inspect contents and expect HTTP
  to be spoken there, which would not be the case on the second handshake ;

- I was aware of an ISP combining haproxy + squid to save on bandwidth costs.
  The principle was very simple, haproxy was set up as an intercepting proxy
  at the border, and balanced the load across a squid farm. Haproxy was
  configured to bypass squid for websocket since there was no added value
  in solliciting the caches for this. Haproxy doesn't understand websocket,
  it only understands HTTP/1.1 and its associated Upgrade mechanism. If you
  start sending non-HTTP/1.1 frames at it while it expects HTTP, you can be
  sure to get a 400/badreq quickly in return (at least once the protocols
  diverge).

So what we learn from the first successful connection is that we should
continue to use the same mechanism.

However I think we should experiment with the same principle as pipelining, ie
when a handshake has worked once, we can probably start sending HTTP/2 frames
after the initial client handshake without waiting for a response since we know
that the whole path supports the Upgrade well.

Regards,
Willy
Received on Thursday, 25 October 2012 07:30:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 25 October 2012 07:30:35 GMT